Your Employees are Your Highest Security Threat

For those who follow cybercrime (and I do), it seems like the news lately has been filled with dire warnings and events. For good or bad, the Equifax security breach positioned cyber security at the top of everyone’s minds. Many people felt, for the first time ever, “Wow, this is affecting me now!”

In some ways, the same sort of wake-up call is occurring in the law firm industry where we are seeing more and more high-profile, global firms being taken down by cybercriminals. Those of us who have worked in and serve the small- to mid-size firms find ourselves thinking, “Wow. If firms with all those resources are vulnerable, how vulnerable am I?!”

The International Legal Technology Association recently published the 5th annual Study of the Legal Industry’s Information Security Practices report and it reveals just how concerned we really are. The stated goals of the annual survey are to “answer persistent and difficult questions such as:”

  • Is my organization in step with what my peers and others are doing with respect to the use of technology and services to thwart various information security threats?
  • Is my organization adequately staffed and trained to ensure the optimal level of security to defend against a potential security breach?

Here are some of the report highlights that I found revelatory:

  • Careless Employees ranked as the highest information security threat to organizations, with over 60% of respondents identifying this as their primary concern.
  • The threats deemed most concerning are 1) Employee Negligence, 2) Phishing/Vishing Attacks, 3) Remote Social Engineering and 4) External Hackers.
  • Organizations are taking steps to combat employee negligence, with 65% performing Information Security Training for Employees. (This is down 23% from last year, a concerning trend given that the root cause of many breaches is attributed to employee actions, such as falling for phishing scams or using weak passwords.)
  • Information security training practices reflect that the majority of firms conduct training infrequently: either once, at the time an employee is hired, or annually.
  • The frequency of training is contrary to addressing the highest identified threat: employee negligence.
  • Even with the recognition of the importance of information security within law firms:
    o The majority of respondents (65%) report that they have no staff dedicated exclusively to Information Security.
  • Budget Allocation:
    o Information Security (IS) budgets continue to be allocated as a part of the overall Information Technology budget.
    o 72% of respondents allocate 0 – 10% of the overall IT budget towards IS.

Good News: Security Awareness Training is Affordable and Effective

Are you taking the necessary precautions today to protect your firm from the next cyberattack? Criminals are becoming more sophisticated every day, constantly seeking ways to hack your network. No matter how many firewalls you’ve built, your biggest threat will always be that giant open door into your firm called “Email.” You need to teach your employees to recognize suspicious email so that they can be your first line of defense, instead of your weakest link.

The KnowBe4 security awareness program was created by Kevin Mitnick, infamous hacker and now world-renowned security expert. The KnowBe4 platform starts with an education program that teaches your attorneys and staff how to recognize suspicious emails. Then, you can create simulated phishing emails that you send throughout your law firm. From the results, you know the types of emails that your employees need help recognizing as suspicious and the people who need extra training.

And you will get nearly instantaneous results. We have learned that people are less likely to click on a fake email after experiencing one simulation in which they fail. (i.e., if they click on a simulated phishing email and discover that they were suckered, they are 20% less likely to do it again.) And that’s after just one simulation! Imagine if you had an ongoing phishing simulation/training program to help your employees keep their guard up!

As a partner with KnowBe4, I can help you create compelling, fake emails, push them out to your firm, track the people who are vulnerable, and educate everyone to be more astute when they click! We recently helped a firm drop from a 20% fail rate to a 4% fail rate using KnowBe4. Read about their success here.

Here’s how it works:

  • You become a KnowBe4 client
  • Upload your users to the system
  • Launch a baseline phishing test using any number of templates
  • Using the results from that phishing test, launch targeted trainings to help your employees be more discerning clickers
  • Every month or quarter, send out another phishing campaign
  • Track improvements down to individual users over time
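The last two steps, recurring campaigns and per-user tracking, are the part a firm actually has to measure. The script below is an added example (not KnowBe4's code or its reporting API): it takes constructed simulation results in the hypothetical shape (campaign, user, clicked), computes the fail rate per campaign, flags repeat clickers for targeted training, and reports the change in fail rate from the baseline to the latest campaign.

```python
"""Track simulated-phishing results across campaigns and per user.

Added example, not KnowBe4's code. Records are a constructed in-memory
list of (campaign, user, clicked); assumption: one record per user per
campaign, clicked is True when the user fell for the simulated email.
"""
from collections import defaultdict

# Constructed sample data: three campaigns sent to the same five users.
RESULTS = [
    ("2024-01 baseline", "alice", True),  ("2024-01 baseline", "bob", False),
    ("2024-01 baseline", "carol", True),  ("2024-01 baseline", "dave", False),
    ("2024-01 baseline", "erin", False),
    ("2024-02", "alice", False), ("2024-02", "bob", False),
    ("2024-02", "carol", True),  ("2024-02", "dave", True),
    ("2024-02", "erin", False),
    ("2024-03", "alice", False), ("2024-03", "bob", False),
    ("2024-03", "carol", True),  ("2024-03", "dave", False),
    ("2024-03", "erin", False),
]


def fail_rate_by_campaign(results):
    """Return {campaign: clicks / emails sent} in campaign order."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for campaign, _user, did_click in results:
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
    return {c: clicked[c] / sent[c] for c in sent}


def users_needing_training(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: repeat clickers
    are the ones to target with extra training, not one-time slips."""
    clicks = defaultdict(int)
    for _campaign, user, did_click in results:
        clicks[user] += int(did_click)
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def trend_points(results):
    """Change in fail rate from the baseline to the latest campaign,
    in percentage points (negative means improvement)."""
    rates = list(fail_rate_by_campaign(results).values())
    return round((rates[-1] - rates[0]) * 100, 1)


if __name__ == "__main__":
    for campaign, rate in fail_rate_by_campaign(RESULTS).items():
        print(f"{campaign}: {rate:.0%} fail rate")
    print("needs training:", users_needing_training(RESULTS))
    print("trend:", trend_points(RESULTS), "points")
```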

This system is updated continuously with new phishing templates that you can use to phish your law firm, learning who is vulnerable to scams and who needs training.

The KnowBe4 system is simple and yet incredibly effective in helping you to build your first line of defense against cyber attackers who know that the weakest link in your law firm security system is your employees!

Are you worried about your employees clicking on a phishing scam? Contact me for a free demo of KnowBe4 today! 303-800-5408
